Users handling JPEG files on their PCs could be vulnerable to an attack. Microsoft has discovered a security flaw in the way many Microsoft applications process JPEG images.
Any program that processes JPEG images could be vulnerable, Microsoft Microsoft said in a Security Bulletin . To take advantage of the flaw, an attacker would have to persuade a user to open a specially crafted image file. The image could be hosted on a website, included in an e-mail, Office document or hosted on a local network, Microsoft said.
A wide range of Microsoft software, including various versions of its Windows and Office products, is vulnerable. Additionally, applications created with Microsoft's Visual Studio developer tool or the.Net Framework and third-party applications that distribute their own copy of the vulnerable JPEG parsing engine may also be vulnerable, Microsoft said.
Along with the Security Bulletin, Microsoft made available software updates to correct the flaw in its products. The software maker also offers a tool to scan a PC for certain installed products that are known to contain the vulnerable JPEG image processing engine.
Microsoft rates the flaw "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.
In Microsoft's rating system for security issues, vulnerabilities that could allow a malicious Internet worm to spread without any action required on the part of the user are rated critical. Issues that will not lead to the spread of a worm without any action taken by the user, but could still expose user data or threaten system resources, are rated important.
The JPEG flaw was reported privately to Microsoft and had not been previously disclosed. There have been no reports of the issue being exploited in the wild, Microsoft said.
In addition to the JPEG issue, Microsoft warned of a flaw in the WordPerfect 5.x Converter that it supplies as part of Office 2000, Office XP, Office 2003 and recent editions of its Works Suite.
The WordPerfect converter flaw, which Microsoft rates "important," could allow an attacker to gain full control over a victim's PC, Microsoft said. A software patch is available for the vulnerable products to fix the problem.